[nsd-users] Can XoT use self-signed certificates?
Klaus Darilion
klaus.darilion at nic.at
Tue Mar 18 21:32:49 UTC 2025
Another thing: it seems that mutual TLS with NSD as primary requires tls-cert-bundle to be set explicitly. I.e. my secondary has a public certificate from lets encrypt, and I would expect that the default tls-cert-bundle should work. But it does not. I get the misleading error (debug log level):
nsd[2588241]: client cert does not match my-tls xot-test-secondary.ops.nic.at
nsd[2588241]: axfr for test.klaus. from 193.46.106.61 refused, no acl matches
But after explicitly setting the tls-cert-bundle to the LE root CA it suddenly worked:
tls-cert-bundle: /etc/ssl/certs/ISRG_Root_X1.pem
nsd[2600852]: my-tls xot-test-secondary.ops.nic.at verified
nsd[2600852]: axfr for test.klaus. from 193.46.106.61 tls-auth xot-test-secondary.ops.nic.at
So, the above error was wrong and should be something like “failed to verify certificate issuer”.
Further, why is it necessary to explicitly set the tls-cert-bundle? I guess there is a reason, as Bind9 also requires manually setting the ca-file for mutual TLS and client verification. I just don’t understand why. Further, it complicates life. If my secondary DNS provider has a certificate from a well-known CA, and the hostname verification succeeds, I want to accept the client cert, regardless of whether the certificate was issued by Let's Encrypt, Sectigo or Comodo.
Thanks
Klaus
--
Klaus Darilion, Head of Operations
nic.at GmbH, Jakob-Haringer-Straße 8/V
5020 Salzburg, Austria
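The primary-side setup described in the message above, as an added illustration and not a configuration from the thread: an nsd.conf fragment in which the only difference between the failing and the working state is the tls-cert-bundle line. File paths, the zone file name and the listener port are assumed values; the tls-auth and provide-xfr keyword forms follow NSD 4.9's nsd.conf(5) as I recall them, so check them against the manual for your version.

```conf
# Added example (not from the thread): nsd.conf for an NSD primary that offers
# XoT with mutual TLS and verifies the secondary's Let's Encrypt client cert.
# Hostname, address and zone name are taken from the log lines in the message;
# paths and port are assumed.
server:
    # Listener for zone transfers over TLS (853 assumed).
    tls-port: 853
    tls-service-key: "/etc/nsd/primary.key"
    tls-service-pem: "/etc/nsd/primary.pem"

    # In the reporter's setup, leaving this unset produced
    #   "client cert does not match my-tls xot-test-secondary.ops.nic.at"
    #   "axfr for test.klaus. from 193.46.106.61 refused, no acl matches"
    # i.e. a chain-verification failure reported as an ACL mismatch.
    # Pointing it at the issuing root CA produced
    #   "my-tls xot-test-secondary.ops.nic.at verified"
    # and the transfer was served with tls-auth.
    tls-cert-bundle: "/etc/ssl/certs/ISRG_Root_X1.pem"

# Expected identity of the secondary; matched against the client certificate
# after the chain has verified against tls-cert-bundle.
tls-auth:
    name: "my-tls"
    auth-domain-name: "xot-test-secondary.ops.nic.at"

zone:
    name: "test.klaus"
    zonefile: "/etc/nsd/zones/test.klaus.zone"
    # Serve AXFR to the secondary's address only over a TLS session whose
    # client certificate satisfies the "my-tls" tls-auth entry (no TSIG key).
    provide-xfr: 193.46.106.61 NOKEY my-tls
    notify: 193.46.106.61 NOKEY
```

The practical check when the "client cert does not match" line appears is therefore whether the secondary's issuer chain is present in tls-cert-bundle, not whether the hostname in the tls-auth entry is right.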
From: nsd-users <nsd-users-bounces at lists.nlnetlabs.nl> On Behalf Of Willem Toorop via nsd-users
Sent: Tuesday, March 18, 2025 4:39 PM
To: nsd-users at lists.nlnetlabs.nl
Subject: Re: [nsd-users] Can XoT use self-signed certificates?
Op 18-03-2025 om 14:14 schreef Klaus Darilion via nsd-users:
Answering myself (untested yet): It seems that ‘tls-cert-bundle:’ may be the solution to manually specify trust anchors. Frankly, this is a ‘server:’ option but I would have expected it under the tls-auth: section to be configurable per tls-context.
We could modify that of course, but personally I also feel for the pin authentication that Knot-dns employs. Would that work for you?
Regards,
-- Willem
Regards
Klaus
From: nsd-users <nsd-users-bounces at lists.nlnetlabs.nl> On Behalf Of Klaus Darilion via nsd-users
Sent: Monday, March 17, 2025 2:32 PM
To: nsd-users at lists.nlnetlabs.nl
Subject: [nsd-users] Can XoT use self-signed certificates?
Hi!
I am testing XoT with NSD as secondary.
As far as I see, certificate validation always uses the OS-installed CA certificates. (/etc/ca-certificates.conf in Ubuntu)
Is it possible to use self-signed certificates and manually configure a trust anchor (e.g. the ca-file option in many other TLS-supporting software)?
Is it possible to use opportunistic/ephemeral TLS as supported by Bind?
Thanks
Klaus